There are two parts to this issue, both of which occur when the user has their Network Management Card product configured for SSL (HTTPS).

Companies such as Microsoft, Mozilla, and Google are disabling SSLv3.0 in their browser products due to numerous security vulnerabilities that exist. One such vulnerability is POODLE (https://www.openssl.org/~bodo/ssl-poodle.pdf). TLSv1.0, at a minimum, is the advised protocol.

TLS does not work on the current NMC products. Therefore, the NMC falls back to SSLv3.0 and, as such, is vulnerable to POODLE.

Examples:

An example of this problem, shown via Firefox, is below. A NetBotz Rack Monitor 200 (SKU# NBRK0201) is configured for HTTPS. The user has Firefox v34.0 installed. The user opens their web browser and types the IP address into the address bar. The user is presented with the following error message:

Another example of this problem, via Internet Explorer, is below. A NetBotz Rack Monitor 200 (SKU# NBRK0201) is configured for HTTPS. The user has Internet Explorer v11.0 installed. The user opens their web browser and types the IP address into the address bar. The user is presented with the following error message:

Another example of this problem, via Chrome, is below. An AP9631 Network Management Card is configured for HTTPS. The user has Chrome v39 installed. The user opens their web browser and types the IP address into the address bar. The user is presented with the following error message:

Note: If you've received mozilla_pkix_error_inadequate_key_size, sec_error_invalid_key, or anything referring to invalid key size/length, please consider reviewing knowledge base article ID FA162031, as this may be due to a separate issue entirely or an additional issue.

Any customer who uses any one of the products mentioned previously and:

Configures their product for SSL (HTTPS).

Uses a web browser version that does not allow for web access via SSLv3.0.

Note: HTTP users are not affected. Meaning, if you have not enabled HTTPS (SSL), web browsing will work normally.

Cause

Companies such as Microsoft, Mozilla, and Google are disabling SSLv3.0 in their browser products due to numerous security vulnerabilities that exist. One such example is POODLE (https://www.openssl.org/~bodo/ssl-poodle.pdf). TLSv1.0, at a minimum, is the advised protocol.

Current NMC products are unable to properly utilize TLS extensions recently released in several modern browsers. Because of this, the NMC device is unable to connect to the browser via TLS. While future versions of the NMC1 devices will not update the underlying cryptology engine, NMC2 devices will be updated to work with the current TLS specification and operate properly with modern browsers.

Resolution

A customer can avoid this problem either by using other access methods on the Network Management Card or by modifying their web browser to allow SSLv3.0 usage (at their own discretion). Other access methods for the Network Management Card are as follows:

Local console

Web (HTTP)

Telnet/SSH

SNMPv1/v3

Modifying a web browser to allow SSLv3.0 usage should be addressed by the user’s network security team or facility manager. Schneider Electric will not provide users with instructions on modifying web browser settings. Some users may be prohibited from enabling SSLv3.0 through their web browser.

Any of the following NMC1 products do not currently have any firm future firmware update plans to address this or any future vulnerabilities:

Note: Certain browsers, such as Firefox v37+, may also require setting changes to allow TLS 1.0 or TLS 1.0 fallback. Schneider Electric will not provide step-by-step instructions for modifying web browser settings for liability reasons, but if you're comfortable modifying settings at your own risk, security.tls.version.fallback-limit within Firefox will likely need to be changed from a default value of 3 (forcing TLS 1.2) to a value of 1 to allow fallback to TLS 1.0. This setting also sometimes resets itself between Firefox browser upgrades. Newer Chrome versions may require --ssl-version-fallback-min=tls1 to be appended to the program shortcut.

A fix to address this problem in the Network Management Card 2 (NMC2) and NMC2 enabled devices has been implemented. The release date will be determined on a product by product basis. See below for available updates for NMC2 firmware applications. These updates provide TLS 1.0, TLS 1.1 and TLS 1.2 functionality.
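To confirm which protocol a card actually negotiates before and after a firmware update, an administrator can inspect the first record the card returns to a ClientHello. The following is an added example, not Schneider Electric code: the function names are hypothetical and the sample records are constructed, standing in for bytes captured from a device.

```python
import struct

# Protocol versions as they appear on the wire (major, minor).
VERSIONS = {(3, 0): "SSLv3.0", (3, 1): "TLSv1.0",
            (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}
ALERTS = {40: "handshake_failure", 70: "protocol_version"}


def classify_first_record(data: bytes) -> dict:
    """Classify the first record a server sends in reply to a ClientHello."""
    if len(data) < 5:
        return {"result": "incomplete"}
    # Record header: content type, version major/minor, body length.
    ctype, _major, _minor, length = struct.unpack("!BBBH", data[:5])
    body = data[5:5 + length]
    if len(body) < length:
        return {"result": "incomplete"}
    if ctype == 21 and length >= 2:
        # Alert record: level, description. The server refused the handshake.
        return {"result": "alert", "alert": ALERTS.get(body[1], str(body[1]))}
    if ctype == 22 and length >= 6 and body[0] == 2:
        # ServerHello: type(1) length(3) server_version(2) random(32) ...
        # Note: a TLS 1.3 server also reports (3, 3) in this field.
        version = VERSIONS.get((body[4], body[5]), "unknown")
        return {"result": "server_hello", "version": version,
                "sslv3_negotiated": version == "SSLv3.0"}
    return {"result": "unexpected"}


def build_server_hello(minor: int) -> bytes:
    """Build a constructed ServerHello record for the given minor version."""
    hello = bytes([3, minor]) + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return bytes([22, 3, minor]) + struct.pack("!H", len(handshake)) + handshake


# Constructed samples: SSLv3-only card, updated card, refused handshake.
SAMPLE_SSLV3 = build_server_hello(0)
SAMPLE_TLS12 = build_server_hello(3)
SAMPLE_ALERT = bytes([21, 3, 0, 0, 2, 2, 40])  # fatal handshake_failure

if __name__ == "__main__":
    for name, rec in [("sslv3", SAMPLE_SSLV3), ("tls12", SAMPLE_TLS12),
                      ("alert", SAMPLE_ALERT)]:
        print(name, classify_first_record(rec))
```

A card that still answers with SSLv3.0 after the update has not picked up the TLS-capable firmware and should stay on the other access methods listed above.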

Can this problem be confused with other error messages generated by the Network Management Card?

Yes, a user may receive different error messages relating to SSL/TLS when configuring or accessing their Network Management Card device. It is imperative that Schneider Electric and the user identify the exact error message that the user is receiving and confirm that it relates to this specific issue, related to SSLv3.0.

For example, similar symptoms could be experienced by the issue in knowledge base article ID FA162031 - Network Management Card 1 (NMC1) Information Bulletin: Effects of Microsoft Internet Explorer and other web browsers blocking key lengths less than 1024 bits.

Note: If there are any questions, problems, or concerns related to the content of this article, please contact your local technical support team for further assistance.